A Complete Guide To The Shield Security Scans

Shield Security helps you to detect and eliminate Infected/malware files and prevent future hacks completely automatically, using its powerful Scans & Integrity Zone which is composed of various components - automatic scanners.

Here, we’ve put together an informative, complete guide to the Shield scans. By following the steps outlined in this guide, you will learn how to 
  • configure scans through Scans & Integrity Zone
  • set email alert reporting from scans
  • run scans and what to do next
  • review scan results details & take actions (with examples)
We also answer most common questions related to scans. 
Before we get started, please note that the certain scanners & options are available in ShieldPRO only

#1 Configuration 

The first step to do is to configure scanners under the Scans Zone and this is how to do that...

The 'File Scans and Malware' section

1) Enable 'Automatic WordPress File Scanner' (recommended)

This is a single filesystem scanner which is a combination of the 4 scanners:

2) Select file scan areas (recommended)

Select which areas of your WordPress site you want to be scanned.

3) Repair files automatically (optional)

If you're a beginner, best is not to do that for now. We suggest getting familiar with the entire scan process first and then you can let the Shield do this automatically for you later on.

4) Lock files against tampering and changes (recommended)

[Pro Only] Enable ' File Locker'.

This will detect changes to the most important files, then lets you examine contents and revert as required. 

5)  Auto filter results/scan exclusions (optional)
[Pro Only] You can exclude file/folder paths you don't want to be scanned by the 'Automatic WordPress File Scanner' (optional).
Important: If there is an empty file, it won't show in the scan results. This type of file is irrelevant, does not pose any security risk and will be excluded automatically.

The 'Vulnerabilities, Plugins, Themes' section

1) [Pro Only] Configure 'Update Delay' feature (recommended)

Shield will delay upgrades until the new update has been available. This helps ensure updates are more stable before they're automatically applied to your site.

2) Enable the 'Abandoned Plugin Scanner' (recommended)

This will scan plugins on your site for whether they've been abandoned.

3) [Pro Only]   Enable the ' Vulnerability Scanner ' (recommended)

This will scan your list of the installed plugins/themes and compare their current versions against a list of known plugin/theme vulnerabilities.

[Pro Only] You can also apply updates automatically to vulnerable plugins/themes.

The Scan Options section

1) Optimise file scans (optional)

Enable ' Optimise File Scans' option to optimise file scans to run much faster.

Important: If you experience any errors in your logs or strange scanning behaviour, disable this option.

2) [Pro Only] Set the daily scan frequency (recommended)

To improve security, increase the number of times to run all scans per day.

By default, the hour at which the cron is set to run is 3 a.m. You can override the hour at which the Shield crons run, including the scans by using this filter:

https://gist.github.com/paulgoodchild/6a4d299a21246ca1c058335dfb352a29

3) [Pro Only] Show re-install links (optional)

This will show links to re-install plugins and offer re-install when activating plugins.

#2  Set email alerts from your site scans

This setting can be found under the main Config menu > General Settings > Reports section.

1) Set Alert Frequency Report (recommended)

Critical alerts are typically results from your most recent site scans. You can choose how often important alerts from scans will be sent to you by email.

Tip: You can also get instant alert emails

  • when the Shield plugin is deactivated
  • discovery of any vulnerable plugin/theme
  • to any changes to FileLocker items

Read more about this here.

#3 Run scans

You can let the scans run automatically for you. How often they'll run depends on your 'Scan Frequency' setting (explained above).

Each time the scans are completed, the results will be displayed in the Scan Results. 

If you want to do manual scans, for any reason, you can access the Run Manual Scan option from the Action Menu.

#4 Review scan results details & take actions

So, when the scans are completed (either automatically or manually by you), you'll need to 

  1. Review the scan results details through Scan Results page
  2. Take actions (decide what you want to do with them)

Here are examples of the Scan Results page for each scanner and what actions are available. 

1) WP Core File Scanner

There are modified and missing WP core files detected. 

Before you take any action, best is to review a file first. You can click on it from within scan results table to open it to see the original file content, the differences and other info. Or, download it. For example:

Then you can decide if you want to ignore or repair it. For example:

If ignored, file will be accepted (whitelisted) by the scanner and won't show up in the scan results in a future. 

2) Unrecognised File Scanner

Unrecognised files detected in the WP core. Review the file and then you can delete or ignore it. For example:

If you're unsure which unrecognised core files you should keep or delete, talk with your web host and they'll help you determine what's best for your site.

3) Plugin/Theme Guard Scanner -  plugin files

Modified plugin file detected. Review the file first and then you can repair or ignore it.

If you personally made changes to this file and you're sure it's legit, you can ignore it. 

The unrecognised plugin file can be deleted or ignored. 

Example:

If you're unsure which unrecognised plugin files you should keep (ignore) or delete, you may reach out the plugin author and ask them if those files are legit or not. If legit, you can click to ignore them. If not, you can delete.

Plugin/Theme Guard Scanner - theme files

Modified & unrecognised theme files detected. Review the files first. Then, you can repair or ignore modified file, or delete or ignore the unrecognised one. 

Example:

Same as for plugin files - if you personally made changes to this theme file and you're sure it's legit, you can ignore it. 

If you're unsure which unrecognised theme files you should keep (ignore) or delete, you may reach out the theme author and ask them if those files are legit or not. If legit, you can click to ignore them. If not, you can delete.

4) Vulnerabilities Scanner

Known plugin vulnerabilities detected. You'll need to upgrade plugin to the latest version. Just click the 'Update Available' link and upgrade. If no updates available yet, best is to remove the plugin for now. 

There is also a "More Info" link you can use to view the list of vulnerabilities and other info (vulnerabilities lookup). For example:

The vulnerable plugins will be flagged on the Plugins page as well.

5) The Abandoned Plugin Scanner

The abandoned plugin detected. You can ignore it or replace with an alternative because these plugins can pose a security risk.

6) Malware Scanner

WP core, plugin, theme files suspected of being malware. 

PHP Malware is a complex topic and scanning for malware is not simple. Please take a moment to read some of the help around this topic

Also, read about the Shield's AI-based Malware scanner here

You can check detected files with the AI-based Malware scanner as well. This will give an estimation as to whether a file is malware, or clean of malicious code. For example

So, you can examine these files first and then click to ignore, repair or delete them. 

Before you take any action, we highly recommend you to examine the files and read this help article:

Is This Malware?

Example: The unrecognised malware files detected in your core, plugin and theme - delete/ignore actions

7) File Locker

Example of the index.php file modified. You can review the changes and accept them, or restore the original file contents.

We hope that the above steps/details were helpful for you. Now, we are going to answer most common questions related to scans...

#5 Most common questions

How can I adjust scanner notices about plugin/theme update/active status?

You can use filters to adjust whether Shield warns about inactive plugins/themes or those with updates. 

I received alert report by email. What should I do next?

When you receive this email, you may click the "View Report" link:

It will direct you to the Scan Report page so you can review scan results details.

Example report:

Then, review the scan results and take actions (please see "#4 Review scan results details & take actions" above).

If there is nothing in scan results, please note that, depending on previous actions taken on the site or file system changes, the results received in alert email report may no longer be available to view.

Where can I find the list of files/plugins detected by the scans?

This can be seen in your WP Activity Log.

Example

Where can I see what files/plugins have been deleted/repaired/updated?

This can be also seen in your Activity Log. Here are a few examples:

Item repaired

Item deleted

Plugin upgraded (i.e. vulnerable plugin)

You'll also be notified by email.

Example: Plugin updated - email notification

Hint: If you need any information about scans activities, best is to use your Activity Log

How can I get instant alerts on the vulnerable plugins/themes and File Locker changes?

You can use "Instant Alerts" options detailed here.

File is flagged as "malware" but it isn't. What should I do?

If you examined a file and you're sure it's legit, you may click to ignore it in the Scan Results. When you do this, it sends that as a "false positive" signal to ShieldNET, so that in the future it probably won't be picked up on the scans. You may read more about this here.

How can I reveal the ignored scan results?

You can do this by using the 'Clear Ignore Flags' option, under the the Run Manual Scan.

Just select this option and click to run scans. The all previously ignored scan results will show up in the Scan Results page.

For example, if you are sure that there is a modified WP core file and that you may have ignored it, use this option to reveal it. 

How to un-hide the ignored, repaired and deleted scan results

You can use "Results Display Options" detailed here.

What is the difference between "unrecognised", "modified" and "unidentified" file?

The unrecognised file is a file that's been added to your site. This file is not a part of your original WP core, plugin or theme installation files. It can be manually deleted or ignored.

Modified file is a file that's been changed either by you or someone else. It can be automatically or manually repaired or manually ignored.

Unidentified file is a file that can't be defined. It's likely false-positive but best is to review it first, use MAL{ai} Lookup to ensure it's clean (see #6) Malware Scanner).

It's unlikely that it'll contain malware code but if it does, you can ask your host to remove that file for you. If the MAL{ai} lookup scan shows it's clean, you can click to ignore it from Scan Results table.

Can I set scanners to auto repair or delete modified/unrecognised files?

You can set scanners to auto repair modified files under the Scans section > Configure > File Scans and Malware > Automatic File Repair. 

However, the unrecognised files detected in the WP core, plugins, themes can't be set to auto delete because this is too risky. Maybe you need those files for the normal function of your site and if you auto delete it accidentally, site may break 

So, to remove the unrecognised files, you'll need to do that manually through Scan Results page by using either "Delete/Repair Selected" option or "Delete" icon, for example:

How does Shield repair i.e. plugin files?

If the plugin is on wordpress.org then we can download the files. if we can download the files we can replace the files on the site.
If we can replace the files on the site, we can repair the files by removing the existing file and replacing it with the file from wordpress.org.

Where can I find more information about Shield scans?

You may use our Knowledge Base here or use a "Search Box" inside the plugin area or help widget:

Apart from this, there are "info/blog" help links for each of the options, for example

Under the Scans section, there is also a help link for the complete guide to the scans:

If you still need help, this is how to reach out to us